Privacy Policy
1. About this Privacy Policy
Every Blueprint we draw starts with a person trusting us with an idea — sometimes a fragment, sometimes a full product specification, often something private they haven't shown anyone else. This Privacy Policy explains what we do with the data that comes with that trust.
It applies whenever you use Toolum at https://toolum.ai or our application surface at app.toolum.ai. If you came here looking for a specific answer, the table of contents below points to the section that covers it. If you want the full picture, the document reads start to finish in about fifteen minutes.
1.1 Who we are
The controller responsible for Personal Data processed through Toolum is:
Kirill Maximenko (Cyprus self-employed entity)
Tax Identification Number: 60056031S
Address: 3 Evagora Pitali, 4040 Germasogeia, Limassol, Cyprus
Email: info@toolum.ai
"Controller" is the GDPR term for the party that decides what data is collected and what it's used for. That is us. When Toolum engages third-party services to help deliver the platform, those services act as our processors or sub-processors — they handle data only on our documented instructions and under contractual safeguards. The full list of sub-processors is published in our Subprocessor List.
1.2 What Toolum is
Toolum is an AI-powered no-code builder for digital products. Builders — the people who use Toolum — design and generate application mockups, design systems, content, and exportable code through natural-language prompts and visual editing. The platform combines large language model inference, a curated reference library spanning many industries, and a visual editor that runs in your browser.
When this Privacy Policy refers to "the Service" or "Toolum," it means the platform described above, including the marketing site, the application, the API, and the supporting infrastructure.
1.3 Who this Privacy Policy is for
This Privacy Policy applies to:
- Visitors to our marketing site and any public Toolum surfaces
- Builders — registered users who create projects, generate content, or export code through Toolum
- Anyone exercising data subject rights with respect to Personal Data Toolum holds about them
This Privacy Policy is the canonical disclosure document for our processing activities. It is complemented by the following:
- Subprocessor List — the current third-party services that process Personal Data on Toolum's behalf
- AI Transparency Statement — detailed disclosure of how AI inference works on Toolum, including provider routing, retention windows, and the curated industry reference library
- Terms of Service — the contract that governs your use of Toolum
- Cookie Policy — specific disclosure about cookies and similar technologies
- Data Processing Addendum (DPA) — for Builders processing Personal Data of their own end-users through Toolum
Where this Privacy Policy and any of those documents conflict on a specific point, the Privacy Policy and DPA prevail for binding interpretation, and the more specific document prevails on its specific subject matter.
1.4 Key terms used in this Privacy Policy
- Personal Data — any information relating to an identified or identifiable natural person, as defined in GDPR Article 4(1).
- Processing — any operation performed on Personal Data, such as collection, storage, use, disclosure, or deletion (GDPR Article 4(2)).
- Builder — a registered user of Toolum.
- Blueprint — a project, design, generated specification, or code artifact produced through Toolum by a Builder.
- Service — the Toolum platform as described in Section 1.2.
- Subprocessor — a third-party service engaged by Toolum to process Personal Data on our behalf, listed in the Subprocessor List.
- GDPR — Regulation (EU) 2016/679 (General Data Protection Regulation).
- EEA — the European Economic Area (EU member states plus Iceland, Liechtenstein, and Norway).
2. Personal Data we process
The Personal Data Toolum processes falls into the categories below. Each category lists what is collected, when it is collected, and the source of the data. We explain why we process each category in Section 3 (purposes) and on what legal ground in Section 4 (legal bases).
We collect only the Personal Data we need to deliver the Service, comply with the law, or fulfill a Builder's request. We do not knowingly collect Personal Data beyond these purposes.
2.1 Account Information
When you register for Toolum, we collect information that lets us identify your account and contact you about the Service.
| Data | When collected | Source |
|---|---|---|
| Email address | At registration | You |
| Display name (optional) | At registration or in profile settings | You |
| Password (stored as a salted hash, never in plain text) | At registration | You |
| Account creation timestamp, last-login timestamp | Automatic | Authentication system |
| Account tier (Free, Builder, Scale, and enterprise variants) | When you subscribe or change plans | Stripe + Toolum |
| Account identifier (UUID) | At registration | Toolum |
We do not require legal names, addresses, phone numbers, or government identifiers to create a Toolum account. If you provide them voluntarily in your profile or in support communications, they are processed as described in this Privacy Policy.
2.2 Content & Prompts (the Blueprints you Build)
The substance of what you create on Toolum — your prompts, your Blueprints, your generated content, your uploaded files — is the core Personal Data we hold on your behalf.
| Data | When collected | Source |
|---|---|---|
| Natural-language prompts you submit | When you send a prompt | You |
| Conversation history with AI assistants | Throughout your session | You + AI providers |
| Project structure, design system definitions, screen layouts | As you build | You + AI providers |
| Uploaded files (images, documents you attach to prompts) | When you upload | You |
| Generated code, generated content, exportable artifacts | As you generate them | AI providers, processed through Toolum |
| Project metadata (name, created/updated timestamps, collaborators) | As you create and edit projects | You + Toolum |
This is Customer Content under our Terms of Service. You own it. Toolum holds it on your behalf so that we can deliver the Service.
Customer Content and AI training. We do not use your Customer Content to train, fine-tune, or improve any AI model — neither our own systems nor the third-party models we route prompts through. Our AI inference providers (Anthropic, OpenAI, Google) are accessed under their commercial API terms, which by default exclude API inputs and outputs from provider model training. The detailed handling of Customer Content through AI processing pipelines is described in Section 5 and in our AI Transparency Statement.
If your prompts or Blueprints contain Personal Data of other individuals (for example, you are designing an app and include sample user names), you are the controller of that Personal Data and Toolum acts as your processor with respect to it. This relationship is governed by our Data Processing Addendum.
2.3 Usage & Telemetry
To operate the Service reliably, we collect information about how you use Toolum and how the application performs.
| Data | When collected | Source |
|---|---|---|
| Pages visited within the application | During your sessions | Automatic |
| Features used (which editor panels, which export actions) | During your sessions | Automatic |
| AI request counts, model selection, token consumption | Each AI request | Automatic |
| Error events, performance metrics, latency measurements | When errors occur or thresholds are met | Automatic |
| Feature flag exposure (which experiments you saw) | When flagged features render | Automatic |
| Referrer URL (the site you arrived from, if any) | At session start | Automatic via PostHog (after analytics consent) |
This data flows through our analytics and observability subprocessor (PostHog, on the EU instance — see Subprocessor List Section 5.4). Where event payloads would otherwise contain Personal Data fields beyond an account identifier, our instrumentation excludes or hashes those fields before transmission.
2.4 Payment Information
When you purchase AI Credit Bundles or subscribe to a paid tier, payment information is processed by our payment subprocessor, Stripe Payments Europe Ltd. (Ireland).
| Data | Where processed | Where Toolum stores it |
|---|---|---|
| Payment card number, CVC, expiration | Stripe only | Never |
| Billing name, address, postal code | Stripe + Toolum (summary record) | Account record |
| Transaction history, invoice records | Stripe + Toolum | Account record, accounting system |
| Tax identification (where applicable) | Stripe + Toolum | Account record |
| Subscription status, tier, renewal dates | Toolum | Account record |
Toolum never sees, receives, or stores your card number. Stripe acts as an independent controller for payment data under its own Privacy Policy at https://stripe.com/privacy. We receive only the summary records we need for accounting, fraud prevention, and Service delivery (subscription status, transaction amounts, invoice metadata).
2.5 Technical and Device Information
When you interact with Toolum, our infrastructure automatically receives technical information about the connection and the device you use. We use this information both to deliver the Service and to protect it from abuse (see Section 3.4).
| Data | When collected | Purpose category | Status |
|---|---|---|---|
| IP address | Each request | Routing, abuse prevention, geographic compliance | Collected |
| Browser user-agent string | Each request | Compatibility, debugging, abuse prevention | Collected |
| Device locale signals (timezone, language reported by your browser) | Each session | Rendering, compatibility, abuse prevention | Collected |
| Extended device characteristics (screen resolution, color depth, available fonts, installed plugins) | Each session | Rendering, compatibility, abuse prevention | Planned — not yet collected |
| Browser fingerprint (a hash derived from the combination of the above) | Each session | Abuse prevention, account-integrity | Planned — not yet collected |
| Approximate geographic location (country, region, and city — inferred from IP address) | Each request | Routing, transfer mechanism selection, abuse prevention | Collected |
| Network metadata (autonomous system number) | Each request | Abuse prevention, anti-bot | Collected |
| Network reputation signals (commercial VPN, proxy, anonymizer, or known datacenter range) | Each request | Abuse prevention, anti-bot | Planned — not yet collected |
| Access patterns (timing, frequency, sequence of requests across sessions and across accounts you create) | Across sessions | Abuse prevention, account-integrity | Collected |
| Application version, client build identifier | Each session | Compatibility, security, abuse pattern detection | Planned — not yet collected |
We do not collect precise geolocation. We do not access your device's GPS, microphone, camera, contacts, or any other sensor beyond what your browser exposes for standard web rendering. The geographic location we derive is approximate — it identifies country, region, and city based on the IP address of your connection, with accuracy that varies from a few kilometers in dense urban areas to tens of kilometers in rural ones. We do not use this information to track your physical movements; we use it to route your requests to the right infrastructure, to apply the correct legal-transfer mechanism for your data, and to identify patterns of abuse (Section 3.4).
A note on fingerprinting (planned capability): as part of the phased anti-abuse rollout described in Section 3.4, Toolum plans to derive a stable device-and-browser identifier from a hash of the technical signals marked "Planned" in the table above. This identifier would not be your name, your email, or anything you provide to us directly — it would be a hash computed from technical signals. When this capability comes online, it will be used strictly for the abuse-prevention purposes described in Section 3.4, not for advertising and not for cross-site tracking. The legal basis will be our legitimate interest in protecting the Service and our paying Builders from abuse of our free tier (Section 4.2). We will update this Policy when this capability activates.
2.6 Communications
When you contact us — through email, support requests, or feedback channels — we process the contents of that communication.
| Data | When collected | Source |
|---|---|---|
| Email address you contact us from | When you write to us | You |
| Subject line, message body, attachments | When you write to us | You |
| Support ticket history | Throughout the support interaction | Toolum + you |
| Marketing email engagement (opens, clicks — only if you opted in) | When you interact with marketing emails | Resend (email subprocessor) |
We use this information to respond to your request, improve our support, and — only if you have explicitly opted in — send you product updates. You can withdraw marketing consent at any time using the unsubscribe link in any marketing email or by emailing info@toolum.ai.
3. How we use your Personal Data
We process the Personal Data described in Section 2 for the specific purposes set out below. Each purpose is mapped to a legal basis in Section 4. We do not process your Personal Data for any purpose that is incompatible with the purpose for which it was originally collected, except as permitted under GDPR Article 6(4) or where you have given consent.
3.1 To deliver the Service
We process Account Information, Content & Prompts, Usage & Telemetry, and Technical and Device Information to operate Toolum: to authenticate your account, render the editor, route your prompts through AI providers, store your Blueprints, generate exportable code, and return results to you.
Without this processing, the Service cannot function. The legal basis is contract performance (Section 4.1).
3.2 To process payments and manage subscriptions
We process Payment Information and Account Information to charge for paid tiers and AI Credit Bundles, to manage your subscription state, to issue invoices, and to comply with our tax-record obligations under Cyprus law.
Legal bases: contract performance for billing operations (Section 4.1), legal obligation for tax-record retention (Section 4.4).
3.3 To provide AI-generated outputs
We transmit your prompts and the project context Toolum constructs to AI inference providers (Anthropic, with OpenAI and Google as fallback) so that they can return generated outputs. We do not transmit your account identifier unless you explicitly include it in a prompt. Detailed AI processing — including the fallback chain, retention windows, the curated industry reference library, and provider-side training opt-outs — is described in Section 5 and in our AI Transparency Statement.
Legal basis: contract performance (Section 4.1).
3.4 To secure and protect the Service from abuse
We process Technical and Device Information, Usage & Telemetry, and where necessary Account Information to detect abuse, prevent fraud, mitigate denial-of-service attempts, investigate security incidents, and enforce our Acceptable Use Policy.
Toolum offers a free tier so that any Builder can evaluate the platform before committing to a paid plan. A small minority of visitors attempt to abuse this offer by creating multiple free accounts in order to consume AI inference resources without paying. Each free account that Toolum issues consumes real money in AI inference costs, so unchecked abuse would either deplete the free tier for legitimate Builders or force us to remove it entirely. To protect the free tier for everyone who uses it in good faith, Toolum operates an abuse-prevention system that:
- Combines technical signals — IP address, autonomous system number, geographic location, and registration and login patterns — into a network profile (with additional device-level signals to be incorporated as the capability is phased in, per the transitional disclosure below);
- Detects geographic and network anomalies — for example, multiple registrations originating from a single IP address or network range within a short time window, or sign-ins from geographically improbable locations within a short window (with VPN/proxy/anonymizer/datacenter detection to be incorporated as the capability is phased in, per the transitional disclosure below);
- Compares profiles across accounts to detect clusters of accounts that appear to be operated by the same person or automated system;
- Flags or restricts accounts that match patterns associated with mass-registration abuse, automated traffic, or coordinated free-credit consumption;
- Where abuse is confirmed, may suspend or close one or more accounts associated with the cluster and may prevent creation of new accounts associated with the same profile.
Any account closure decision triggered by this system is recorded with the underlying signals so that it can be reviewed. Builders affected by an abuse-related action have the right to request human review by contacting info@toolum.ai (see Section 13 on automated decision-making).
We do not refuse Service based on nationality, country of residence, or any other protected characteristic. The geographic and network signals described above are applied uniformly to all access patterns and are used solely to identify abusive behavior, regardless of where it originates.
Legal basis: legitimate interest in protecting the Service, our infrastructure, our paying Builders, and the sustainability of the free tier (Section 4.2). The balancing test we apply is summarized in Section 4.2.
Transitional disclosure (as of the Effective Date above):
Toolum is in the process of phasing in its anti-abuse capability. The current implementation collects the following subset of signals: IP address, autonomous system number, user agent, browser/OS, language, timezone, geographic location (country, region, and city), device type, session identifier, email pattern features, and access patterns.
Additional signals described above — including the browser fingerprint hash, device-characteristics enumeration, VPN/proxy/anonymizer flags, and detailed application-version fingerprinting — are being added in a subsequent phase of Toolum's development. We will update this Policy when those signals come online.
This phased approach ensures we deploy abuse prevention with appropriate technical and legal safeguards rather than launching incomplete implementations. If you have questions about the current scope, contact us at info@toolum.ai.
3.5 To improve the Service
We process Usage & Telemetry and aggregated metrics to understand how Toolum is used, to identify performance bottlenecks, to prioritize feature work, and to measure the impact of changes. Where we run feature experiments, we measure exposure and outcomes against aggregated cohorts. We do not use Customer Content for product improvement and we do not use any Personal Data to train AI models.
Legal basis: legitimate interest in maintaining and improving the Service (Section 4.2).
3.6 To communicate with you about the Service
We process Account Information and Communications to send transactional messages: account confirmations, password resets, billing notifications, security alerts, material changes to this Privacy Policy or our Terms, and Service status updates.
Legal basis: contract performance and legitimate interest (Sections 4.1, 4.2).
3.7 To send marketing communications (only if you opt in)
If you explicitly opt in, we process your email address to send product updates, feature announcements, and educational content. You can withdraw consent at any time without affecting our ability to deliver the Service.
Legal basis: consent (Section 4.3).
3.8 To comply with legal obligations
We process Personal Data where we are required to by applicable law — for example, retaining payment records under Cyprus tax law, responding to lawful requests from competent authorities, or honoring data subject rights requests.
Legal basis: legal obligation (Section 4.4).
3.9 To enable Builders to exercise their rights
We process the minimum Personal Data needed to verify and respond to data subject rights requests (Section 10).
Legal basis: legal obligation (Section 4.4).
4. Legal bases for processing
Under the GDPR, every processing operation must rest on at least one of the lawful bases set out in Article 6(1). This Section explains the four bases on which Toolum relies and how each maps to the processing purposes described in Section 3.
4.1 Performance of a contract (GDPR Article 6(1)(b))
We rely on contract performance when the processing is necessary to deliver the Service you have asked us to provide, or to take steps you have requested before entering into a contract with us (for example, creating an account).
Processing purposes covered by this basis:
- 3.1 — To deliver the Service
- 3.2 — To process payments and manage subscriptions (billing operations specifically)
- 3.3 — To provide AI-generated outputs
- 3.6 — To communicate with you about the Service (transactional messages)
Without this processing, we cannot operate Toolum or honor our contractual commitments to you. If you do not provide the Personal Data necessary for these purposes (for example, an email address), we cannot deliver the Service to you.
4.2 Legitimate interests (GDPR Article 6(1)(f))
We rely on legitimate interest when the processing serves a real interest of Toolum or of a third party, when the processing is necessary to achieve that interest, and when our interest is not outweighed by the fundamental rights and freedoms of the Builders concerned.
Processing purposes covered by this basis:
- 3.4 — To secure and protect the Service from abuse
- 3.5 — To improve the Service
- 3.6 — To communicate with you about the Service (non-transactional Service-related notices)
Our balancing test (summary). Before we rely on legitimate interest for a given processing activity, we conduct a balancing test that weighs (i) the specific interest pursued, (ii) the necessity of the processing for that interest, (iii) the impact of the processing on Builders, and (iv) the safeguards that limit that impact. The substantive results for our two main legitimate-interest processing activities are:
- Service security and abuse prevention (Section 3.4). Our interest in protecting the Service, our paying Builders, and the sustainability of the free tier is substantial and recognized as legitimate under Recital 49 of the GDPR. The processing is necessary because no less intrusive measure (such as relying solely on email verification) reliably prevents the abuse patterns we observe. The impact on Builders acting in good faith is minimal because the signals collected are technical, the storage period is limited, and the system is designed to surface clusters of accounts rather than to profile individuals. Builders affected by an abuse-related action have a right to request human review (Section 13).
- Service improvement (Section 3.5). Our interest in maintaining and improving the platform is legitimate and shared by every Builder who relies on the Service to perform reliably. The processing is necessary to identify performance issues, prioritize feature work, and validate changes. The impact on Builders is minimal because the data is aggregated, instrumentation excludes or hashes Personal Data fields before transmission, and we do not use Customer Content for this purpose.
You have the right to object to processing based on legitimate interest at any time on grounds relating to your particular situation (Section 10).
4.3 Consent (GDPR Article 6(1)(a))
We rely on consent only where the processing is not covered by another lawful basis. The processing purposes covered by this basis are:
- 3.7 — To send marketing communications
Consent is collected explicitly at the point you opt in. You can withdraw it at any time using the unsubscribe link in any marketing email or by emailing info@toolum.ai. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal and does not affect our ability to deliver the Service (which rests on contract performance, not consent).
4.4 Legal obligation (GDPR Article 6(1)(c))
We rely on legal obligation when applicable law requires us to process Personal Data — for example:
- 3.2 — Tax-record retention under Cyprus law (in addition to the contract-performance basis for billing itself)
- 3.8 — Compliance with lawful requests from competent authorities, court orders, and regulatory requirements
- 3.9 — Responding to data subject rights requests within the timeframes set by Articles 12 and 15-22 of the GDPR
4.5 No reliance on other bases
Toolum does not currently rely on the remaining GDPR Article 6(1) bases — vital interests (point d), public interest or official authority (point e) — for any processing activity. We do not process special categories of Personal Data within the meaning of Article 9 unless you voluntarily include such data in your prompts or Blueprints, in which case Section 2.2 and our Data Processing Addendum apply.
5. How AI processing works on Toolum
This section gives a short overview of how AI processing flows through Toolum. The full technical detail — including the routing logic, retention windows at each provider, the curated industry reference library, and provider-side training opt-outs — is in our AI Transparency Statement.
5.1 The providers we route to
Toolum does not train or operate its own foundation models. Every AI-generated output you receive is produced by a third-party inference provider that we have engaged as a Subprocessor. We currently engage three providers:
- Anthropic (Claude models) — primary provider for most Builder interactions
- OpenAI (GPT models) — fallback when the primary provider is unavailable or rate-limited
- Google (Gemini models) — secondary fallback
The full identities, locations, and transfer mechanisms are listed in our Subprocessor List, Section 5.1.
5.2 What we send to providers
When you submit a prompt, Toolum constructs the request that is sent to the active provider. That request contains:
- Your prompt text
- The relevant conversation history from your current session
- Project context that Toolum has built from your Blueprint (design system tokens, screen structure, prior generated content, the curated industry references relevant to your project)
- Operational metadata required by the provider's API (for example, the model identifier and generation parameters)
We do not transmit your account identifier, your email, your billing information, or any other Personal Data unrelated to the generation request. If your prompt itself contains Personal Data (for example, because you typed names into it), that data travels with the prompt.
5.3 What providers do with it
All three providers are accessed under their commercial API terms. Under those terms, by default:
- Inputs and outputs are not used to train, fine-tune, or improve the provider's models;
- Inputs and outputs are retained only for short operational windows (typically up to 30 days) for abuse detection and incident response, and are then deleted automatically;
- Human review of inputs and outputs occurs only when a request is flagged by the provider's safety systems.
Where a provider offers Zero Data Retention as an option for commercial API customers, Toolum will evaluate enabling it when the resulting trade-offs (cost, latency, feature availability) are acceptable.
5.4 Outputs
Outputs returned by the provider are stored in your Toolum project as Customer Content (Section 2.2). You own them, subject to the limitations on AI-generated output rights described in our Terms of Service and our AI Transparency Statement.
5.5 The 35-industry reference library
Toolum maintains a curated reference library that gives the AI provider relevant industry context when generating Blueprints for a given category of digital product. This library is not a retrieval-augmented generation (RAG) corpus, it is not a vector embedding database, and it is not training data. It is a structured lookup table of public industry references that Toolum's engineers have compiled. No Personal Data of any Builder is stored in the reference library, and your Customer Content is never added to it.
6. How we share Personal Data
We share Personal Data only when there is a clear basis for doing so. The categories below are exhaustive — we do not sell Personal Data, we do not share it for the marketing purposes of any third party, and we do not disclose it in any way not described in this Privacy Policy or our Subprocessor List.
6.1 With our Subprocessors
To deliver the Service we engage third-party providers ("Subprocessors") that process Personal Data on our behalf and on our documented instructions. Subprocessors do not have an independent right to use Personal Data for their own purposes, and each is bound by a Data Processing Agreement consistent with GDPR Article 28.
The categories of Subprocessor we currently engage are:
| Category | What they do | Examples |
|---|---|---|
| AI inference | Generate Blueprint content from your prompts | Anthropic, OpenAI, Google |
| Infrastructure and platform | Host the database, application servers, content delivery, and domain registration | Supabase, MVPS.net, Cloudflare, Hostinger |
| Communications | Send transactional and marketing emails, process payments | Resend, Stripe |
| Analytics and observability | Aggregate product usage and error telemetry | PostHog (EU instance) |
The full list of currently engaged Subprocessors — with each provider's identity, processing role, primary location, and transfer mechanism — is published in our Subprocessor List. By using Toolum you provide a general written authorization for us to engage these Subprocessors and to add or replace Subprocessors as the Service evolves, as described in that document.
6.2 With competent authorities and for legal compliance
We disclose Personal Data to law enforcement, regulatory authorities, courts, and other competent bodies when we are required to do so by applicable law, a binding court order, or a valid legal process. Before complying with any such request we verify that the request is lawful, that it is properly served on the appropriate entity, and that the scope of disclosure is limited to what the request actually requires. Where the law allows, we will inform the affected Builder of the request.
We may also disclose Personal Data when we believe in good faith that disclosure is necessary to:
- Investigate or respond to a violation of our Terms of Service or Acceptable Use Policy;
- Prevent, detect, or address fraud, security incidents, or imminent harm to any person;
- Defend the legal rights of Toolum, our Builders, or third parties.
6.3 In connection with a business transaction
If Toolum is involved in a merger, acquisition, asset sale, financing, reorganization, or sale of all or part of our business, Personal Data may be transferred to the relevant counterparty as part of that transaction. Any such transfer will preserve the protections described in this Privacy Policy or will be accompanied by notice and, where required by law, the opportunity to object. As of the Effective Date of this Privacy Policy, Toolum is operated by a Cyprus self-employed entity and no such transaction is in progress or contemplated.
6.4 Aggregated or de-identified information
We may create and share aggregated or de-identified information — for example, statistics about overall Service usage, aggregate AI consumption patterns, or anonymized performance benchmarks — that does not identify any individual Builder. Once information has been irreversibly aggregated or de-identified, it is no longer Personal Data and is not subject to this Privacy Policy.
We do not use Customer Content in the construction of such aggregates.
7. International transfers
Toolum is operated from Cyprus, which is within the European Economic Area (EEA). Our infrastructure subprocessors (Supabase, MVPS.net, Hostinger) and our payment subprocessor (Stripe Payments Europe Ltd.) process EU-originating Personal Data within the EEA. For these flows, no international transfer to a third country occurs.
Other Subprocessors process Personal Data in the United States — specifically, our AI inference providers (Anthropic, OpenAI, Google), our content delivery network (Cloudflare), and our transactional email provider (Resend). Transfers to these providers are governed by valid GDPR transfer mechanisms.
7.1 The EU-US Data Privacy Framework
Each of Anthropic, OpenAI, Google, Cloudflare, and Resend is self-certified under the EU-US Data Privacy Framework ("DPF"). The European Commission's adequacy decision of 10 July 2023 recognizes that transfers of Personal Data from the EEA to organizations self-certified under the DPF enjoy an adequate level of protection. You can verify each provider's current DPF certification status on the official Data Privacy Framework list at https://www.dataprivacyframework.gov.
7.2 Standard Contractual Clauses as a parallel safeguard
In parallel with DPF reliance, our contracts with each US-based Subprocessor incorporate the European Commission's Standard Contractual Clauses ("SCCs") — Module 2 (controller to processor) — adopted under Decision (EU) 2021/914. SCCs operate as a contingency safeguard if the DPF is invalidated by a future court ruling or revoked by either party to the agreement.
7.3 Onward transfers
The Subprocessors listed above may engage their own sub-processors (for example, cloud infrastructure providers). Each is contractually required to apply substantially equivalent data protection terms to any sub-processor it engages, including DPF certification or SCCs for onward transfers outside the EEA.
7.4 Your right to transfer documentation
You can request copies of the transfer-related documentation we hold (DPF certifications, executed SCCs, transfer impact assessments) by emailing info@toolum.ai. We will provide what we can without breaching confidentiality obligations to our Subprocessors. Enterprise Builders with a signed Data Processing Addendum receive more detailed documentation rights under that contract.
8. How long we keep your Personal Data
We retain Personal Data only for as long as we need it to deliver the Service, comply with the law, defend our legitimate interests, or fulfill the purpose for which it was collected. The default rule is straightforward: when you delete your Toolum account, your Personal Data is deleted from our active systems within thirty (30) days, with the limited exceptions listed below.
8.1 Retention by category
| Category | Retention period | Reason |
|---|---|---|
| Account Information (Section 2.1) | Until account deletion + 30 days grace | Operational reversal window for accidental deletion; full removal after grace period |
| Content & Prompts — Customer Content (Section 2.2) | Until account deletion + 30 days grace | Same as above; Customer Content is yours and follows your account |
| AI provider-side inference logs | Typically up to 30 days at each provider, governed by that provider's commercial API terms | Provider abuse detection and incident response |
| Usage & Telemetry (Section 2.3) | 90 days in identifiable form; longer in aggregated form | Operational debugging window; aggregated retention is not Personal Data |
| Payment Information — Toolum-held summary records (Section 2.4) | 7 years after the end of the fiscal year of the transaction | Cyprus tax-record retention law |
| Payment Information — Stripe-held data | Per Stripe's own retention policy (https://stripe.com/privacy) | Stripe acts as independent controller |
| Technical and Device Information (Section 2.5) | 90 days in identifiable form; abuse-prevention device profiles up to 12 months after last activity | Operational + abuse-detection window |
| Abuse-prevention decision records (Section 3.4) | Until account closure + 90 days for review and appeal | Audit trail for Article 22 human-review requests |
| Communications (Section 2.6) | 3 years from last contact, or until you request deletion | Quality of ongoing support relationship; statute of limitations on related claims |
| Marketing consent records | Until consent withdrawal + 3 years | Demonstrate lawful basis if consent is later disputed |
| Audit and security logs | 12 months | Security incident investigation window |
8.2 When we keep Personal Data longer than the default
We may retain Personal Data beyond the periods above in the following circumstances, and only for as long as the relevant ground applies:
- Active legal claim or investigation. Where the data is the subject of, or material to, a legal claim, regulatory investigation, or dispute resolution process — we retain it until the matter is finally resolved and the applicable limitation period has expired.
- Compliance with a binding legal hold. Where a law, court order, or competent authority requires us to retain specific Personal Data — we retain it for the period required by that legal instrument.
- Backup and disaster recovery. Personal Data may persist in encrypted, access-restricted backup snapshots for up to ninety (90) days after deletion from active systems. Backup data is not used for any purpose other than disaster recovery and is overwritten on the standard rotation cycle.
8.3 What "deletion" means in practice
When we delete Personal Data, we remove it from our active production databases and we stop processing it for any purpose. Encrypted residues may remain in backup snapshots for the period above and are then overwritten. We do not retain shadow copies, secondary databases, or analytics exports tied to a deleted account.
9. How we protect your Personal Data
We apply technical and organizational measures designed to protect Personal Data against unauthorized access, alteration, disclosure, or destruction. No system is impenetrable, but the measures below reflect what we currently operate.
9.1 Technical measures
- Encryption in transit. All connections to Toolum use TLS 1.2 or higher.
- Encryption at rest. Personal Data stored in our primary database (Supabase) is encrypted at rest using industry-standard symmetric encryption.
- Password handling. Passwords are never stored in plain text; we store salted hashes computed with a recognized password-hashing algorithm.
- Secrets management. API keys, signing keys, and other secrets are stored in environment variables on hardened infrastructure and are rotated when staff with access change.
- Network controls. Production services are deployed behind a content delivery network and edge protection layer that mitigates denial-of-service attempts and filters known malicious traffic.
- Logging and monitoring. Authentication events, administrative actions, and unusual access patterns are logged and reviewed.
- Dependency hygiene. We track security advisories for the libraries we depend on and apply security updates on a defined cadence.
9.2 Organizational measures
- Least-privilege access. Access to production systems containing Personal Data is restricted to the minimum personnel necessary to operate and support the Service.
- Access reviews. Personnel access to Personal Data is reviewed periodically and revoked promptly on role change.
- Confidentiality. Personnel with access to Personal Data are subject to confidentiality obligations.
- Subprocessor diligence. We assess each Subprocessor's security posture before engagement and on an ongoing basis (see Section 4 of our Subprocessor List).
- Incident response. We maintain procedures for identifying, containing, and remediating security incidents, and for notifying affected Builders and competent authorities where the GDPR requires it.
9.3 Personal data breach notification
If we become aware of a Personal Data breach that is likely to result in a risk to your rights and freedoms, we will notify the Cyprus Commissioner for Personal Data Protection without undue delay and, where feasible, within 72 hours of becoming aware, as required by GDPR Article 33. If the breach is likely to result in a high risk to your rights and freedoms, we will notify you directly without undue delay, as required by GDPR Article 34, using the contact details on your Toolum account.
9.4 Your role in security
You play a part in keeping your account secure. We ask that you:
- Use a strong, unique password for your Toolum account;
- Keep your authentication credentials private;
- Notify us promptly at info@toolum.ai if you suspect unauthorized access to your account.
10. Your rights as a Builder
The GDPR gives you a set of rights with respect to the Personal Data we hold about you. This section explains those rights, how to exercise them, and the limits that apply.
10.1 The rights you have
- Right of access (Article 15). You can ask us to confirm whether we process Personal Data about you and, if so, to provide a copy of that data and information about how it is processed.
- Right to rectification (Article 16). You can ask us to correct Personal Data that is inaccurate or to complete data that is incomplete.
- Right to erasure (Article 17). You can ask us to delete Personal Data about you. Deletion will be honored unless we are required or entitled to retain the data for one of the grounds in Section 8.2 or Article 17(3) of the GDPR.
- Right to restriction (Article 18). You can ask us to restrict the processing of your Personal Data in specific circumstances — for example, while we verify the accuracy of contested data.
- Right to data portability (Article 20). You can ask us to provide the Personal Data you have given us in a structured, commonly used, machine-readable format, and to transmit it to another controller where technically feasible.
- Right to object (Article 21). You can object, at any time and on grounds relating to your particular situation, to processing based on legitimate interest (Section 4.2). You can object at any time and unconditionally to processing for direct marketing purposes.
- Right to withdraw consent (Article 7(3)). Where processing is based on consent (Section 4.3), you can withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
- Right not to be subject to a decision based solely on automated processing (Article 22). See Section 13 below for how this applies to the abuse-prevention system described in Section 3.4.
- Right to lodge a complaint with a supervisory authority (Article 77). See Section 10.4 below.
10.2 How to exercise your rights
Send a request to info@toolum.ai. Tell us which right you are exercising and provide enough information for us to identify your account.
We respond within one month of receiving your request, as required by GDPR Article 12(3). The period may be extended by a further two months where necessary, taking into account the complexity and number of requests; if we extend, we will tell you within the first month and explain why.
There is no fee for exercising your rights unless your request is manifestly unfounded or excessive (for example, repetitive), in which case we may charge a reasonable fee based on administrative costs or decline to act on the request. If we decline, we will tell you why and inform you of your right to complain to a supervisory authority.
10.3 Verifying your identity
To protect Personal Data from being disclosed to the wrong person, we may ask you to confirm your identity before responding to a rights request — for example, by sending the request from the email address associated with your Toolum account or by completing a short verification step. We collect only the minimum information necessary to confirm that you are the data subject the request concerns.
10.4 Your right to lodge a complaint
If you believe we have not handled your Personal Data in accordance with the GDPR, you have the right to lodge a complaint with the supervisory authority in the EU member state of your habitual residence, place of work, or the place of the alleged infringement.
For Toolum specifically, our lead supervisory authority is the Commissioner for Personal Data Protection of the Republic of Cyprus:
Office of the Commissioner for Personal Data Protection
Office address: Kypranoros 15, 1061 Nicosia, Cyprus
Postal address: P.O. Box 23378, 1682 Nicosia, Cyprus
Telephone: +357 22 818456
Email: commissioner@dataprotection.gov.cy
Website: https://www.dataprotection.gov.cy
We would always prefer the opportunity to address your concern directly first — write to info@toolum.ai before or instead of complaining if you would like to give us a chance to resolve the matter.
11. Cookies and similar technologies
Toolum uses a small set of cookies and similar local-storage technologies to make the Service work. The categories we use are:
- Strictly necessary. Cookies and tokens that authenticate your session, remember your tier, and preserve your preferences during a session. These cannot be switched off without breaking the Service.
- Functional. Local storage that remembers UI preferences (theme, panel layout) within your browser. This data does not leave your browser.
- Analytics. First-party analytics for understanding aggregate Service usage, served through our analytics subprocessor (PostHog, EU instance — Section 5.4 of our Subprocessor List). We do not use third-party advertising cookies and we do not allow advertising networks to set cookies on Toolum surfaces.
Where local law (including the EU ePrivacy Directive as implemented in Cyprus) requires consent for non-essential cookies, we collect that consent through a cookie banner before any non-essential cookie is set.
Our full disclosure on cookies — including the specific cookie names, durations, and the consent mechanism — is in our Cookie Policy.
12. Children's data
Toolum is not directed to children, and we do not knowingly process the Personal Data of anyone under the age of sixteen (16). If you are under sixteen, please do not create a Toolum account and do not provide us with Personal Data.
If we learn that we have collected Personal Data from a person under sixteen without confirmed parental authorization, we will delete that data as soon as reasonably possible. If you are a parent or guardian and you believe your child has provided Personal Data to Toolum, contact info@toolum.ai and we will act on the matter without delay.
The age threshold above reflects the Republic of Cyprus's national implementation of GDPR Article 8(1), which sets sixteen as the age at which a child can consent to information society services without parental authorization. In other jurisdictions where a higher age threshold applies (for example, eighteen), the higher threshold applies to Builders habitually resident in those jurisdictions.
13. Automated decision-making
GDPR Article 22 gives you the right not to be subject to a decision based solely on automated processing — including profiling — that produces legal effects concerning you or similarly significantly affects you. This Section explains where automated decision-making occurs on Toolum, what safeguards apply, and how you can ask for human review.
13.1 Where we use automated decision-making
Toolum operates one automated decision-making process: the abuse-prevention system described in Section 3.4.
That system processes Technical and Device Information (Section 2.5) and Usage & Telemetry (Section 2.3) to identify clusters of accounts associated with mass-registration abuse, coordinated free-credit consumption, or automated traffic. When the signals associated with an account match patterns the system is configured to detect, the account may be:
- Flagged for additional friction (for example, a verification step before further AI consumption);
- Restricted from specific Service functionality (for example, free-tier AI credits paused);
- Suspended or closed, and prevented from registering further accounts associated with the same device-and-network profile.
The third outcome (suspension or closure) is the one that, in our assessment, may significantly affect a Builder. We treat it as a decision within the scope of GDPR Article 22 and apply the safeguards in Section 13.2 below.
13.2 The safeguards we apply
For any account suspension or closure triggered by the abuse-prevention system:
- The decision is recorded with its signals. Every automated suspension or closure produces an audit-log entry that captures the signals on which the decision was based, the time it was made, and the action taken. This record exists so that the decision can be reviewed.
- You have the right to human review. You can ask a Toolum staff member to review the decision and the underlying signals. Send a request to info@toolum.ai with the subject line "Account review request" and the email address associated with the affected account. We aim to respond within seven (7) business days and to issue a final review decision within thirty (30) days.
- You have the right to express your point of view. Your request for review can include any context, explanation, or evidence that you would like the reviewer to consider. We will read it before issuing a final decision.
- You have the right to contest the decision. If the human review confirms the suspension or closure and you disagree with the outcome, you can lodge a complaint with the Cyprus Commissioner for Personal Data Protection (Section 10.4).
13.3 What automated decision-making we do not do
For clarity, Toolum does not use automated decision-making to:
- Set prices, offers, or discounts on an individual Builder basis;
- Assess creditworthiness;
- Make hiring, employment, or insurance decisions;
- Profile Builders for the purposes of any third party;
- Build or share psychological, behavioral, or demographic profiles for marketing.
We also do not use the abuse-prevention system to filter the content of your prompts or your Blueprints. AI provider safety systems may filter generation outputs at the provider level — that processing is described in the AI Transparency Statement, not here.
13.4 Provider-side automated decisions
The AI inference providers we route to (Section 5) operate their own safety systems that may filter, refuse, or modify AI-generated outputs based on the provider's own content policies. Those decisions are made by the provider, not by Toolum, and are governed by the provider's own terms and privacy policy. If a provider's safety system blocks a generation, Toolum surfaces the block to you so that you can revise the prompt or try a different approach.
14. Changes to this Privacy Policy
We may update this Privacy Policy from time to time — to reflect changes in the Service, in our Subprocessors, in applicable law, or in the way we handle Personal Data.
14.1 How we publish changes
When we update this Privacy Policy:
- The "Last Updated" date at the top of the document is revised.
- The "Effective Date" is revised when changes take effect.
- A change summary is published alongside the document, describing what changed and when.
- Historic versions are available at their dated URLs under /legal/privacy/<date> and preserved in our public repository, so that you can see the full version history.
14.2 When we notify you of changes
For changes that materially affect your rights or the way we process your Personal Data, we provide notice through one of the following channels at least fourteen (14) days before the change takes effect:
- An email to the address on your Toolum account;
- An in-product notification when you next sign in;
- A prominent notice on https://toolum.ai.
For non-material changes — typo corrections, link updates, structural rewording that does not change the substance of any disclosure — we update the document and revise the "Last Updated" date without separate notice.
14.3 Your options when we change this Policy
If you do not agree with a material change to this Privacy Policy, you may stop using the Service and request deletion of your account before the change takes effect. Per our Refund Policy, unused AI Credit Bundles purchased before the change are refundable on a pro-rata basis.
15. Contact
For any question about this Privacy Policy, about how Toolum processes your Personal Data, or to exercise any of the rights described in Section 10:
Controller
Kirill Maximenko (Cyprus self-employed entity)
Tax Identification Number: 60056031S
Address: 3 Evagora Pitali, 4040 Germasogeia, Limassol, Cyprus
Email: info@toolum.ai
Cyprus supervisory authority
Office of the Commissioner for Personal Data Protection
Office address: Kypranoros 15, 1061 Nicosia, Cyprus
Postal address: P.O. Box 23378, 1682 Nicosia, Cyprus
Telephone: +357 22 818456
Email: commissioner@dataprotection.gov.cy
Website: https://www.dataprotection.gov.cy
Related documents
- Subprocessor List
- AI Transparency Statement
- Terms of Service
- Cookie Policy
- Refund Policy
- Data Processing Addendum (DPA)
- Acceptable Use Policy
This Privacy Policy is published by Toolum (Kirill Maximenko, Cyprus self-employed entity). It is the canonical disclosure of how we process Personal Data. Where this Privacy Policy and any of the Related Documents conflict on a specific point, this Privacy Policy and the Data Processing Addendum prevail for binding legal interpretation.
Document version 1.0. Effective June 5, 2026.